Note that the “flood and loot” paper is explicitly pointed out in the full disclosure mail post, with a discussion of the Lightning security model, where spending an HTLC output with a preimage on the outgoing link after the timelock on the incoming HTLC has expired is deemed illegitimate.
Note how the issue sounds like it generalizes to any “revoked” or “invalid” state in off-chain Bitcoin protocols, where an attacker might be able to replacement-cycle a package out of the mempool (assuming package relay support and deployment).